Spy agencies secretly rely on hackers

The governments of the USA, UK and Canada characterize hackers as a criminal menace, warn of the threats they allegedly pose to critical infrastructure, and aggressively prosecute them, but they are also secretly exploiting their information and expertise, according to top secret documents.

In some cases, the surveillance agencies are obtaining the content of emails by monitoring hackers as they breach email accounts, often without notifying the hacking victims of these breaches.

“Hackers are stealing the emails of some of our targets… by collecting the hackers’ ‘take,’ we . . . get access to the emails themselves,” reads one top secret 2010 National Security Agency document. These and other revelations about the intelligence agencies’ reliance on hackers are contained in documents provided by whistleblower Edward Snowden. The documents — which come from the UK Government Communications Headquarters agency and NSA — shed new light on the various means used by intelligence agencies to exploit hackers’ successes and learn from their skills, while also raising questions about whether governments have overstated the threat posed by some hackers.

By looking out for hacking conducted “both by state-sponsored and freelance hackers” and riding on the coattails of hackers, Western intelligence agencies have gathered what they regard as valuable content:

Recently, Communications Security Establishment Canada (CSEC) and Menwith Hill Station (MHS) discovered and began exploiting a target-rich data set being stolen by hackers. The hackers’ sophisticated email-stealing intrusion set is known as INTOLERANT. Of the traffic observed, nearly half contains category hits because the attackers are targeting email accounts of interest to the Intelligence Community. Although a relatively new data source, [Target Offices of Primary Interest] have already written multiple reports based on INTOLERANT collect.

The hackers target a wide range of diplomatic corps, human rights and democracy activists and even journalists:

INTOLERANT traffic is very organized. Each event is labeled to identify and categorize victims. Cyber attacks commonly apply descriptors to each victim – it helps herd victims and track which attacks succeed and which fail. Victim categories make INTOLERANT interesting:

A = Indian Diplomatic & Indian Navy

B = Central Asian diplomatic

C = Chinese Human Rights Defenders

D = Tibetan Pro-Democracy Personalities

E = Uighur Activists

F = European Special Rep to Afghanistan and Indian photo-journalism

G = Tibetan Government in Exile

In those cases, the NSA and its partner agencies in the United Kingdom and Canada were unable to determine the identity of the hackers who collected the data, but suspect a state sponsor “based on the level of sophistication and the victim set.” In instances where hacking may compromise data from the USA and UK governments, or their allies, notification was given to the “relevant parties.”

In a separate document, GCHQ officials discuss plans to use open source discussions among hackers to improve their own knowledge. “Analysts are potentially missing out on valuable open source information relating to cyber defence because of an inability to easily keep up to date with specific blogs and Twitter sources,” according to one document.

GCHQ created a program called LOVELY HORSE to monitor and index public discussion by hackers on Twitter and other social media. The Twitter accounts designated for collection in the 2012 document:

These accounts represent a cross section of the hacker community and security scene. In addition to monitoring multiple accounts affiliated with Anonymous, GCHQ monitored the tweets of Kevin Mitnick, who was sent to prison in 1999 for various computer and fraud related offenses. The US Government once characterized Mitnick as one of the world’s most villainous hackers, but he has since turned security consultant and exploit broker.

Among others, GCHQ monitored the tweets of reverse-engineer and Google employee, Thomas Dullien. Fellow Googler Tavis Ormandy, from Google’s vulnerability research team Project Zero, is featured on the list, along with other well known offensive security researchers, including Metasploit’s HD Moore and James Lee (aka Egypt) together with Dino Dai Zovi and Alexander Sotirov, who at the time both worked for New York-based offensive security company, Trail of Bits (Dai Zovi has since taken up a position at payment company, Square). The list also includes notable anti-forensics and operational security expert “The Grugq.”

GCHQ monitored the tweets of former NSA agents Dave Aitel and Charlie Miller, and former Air Force intelligence officer Richard Bejtlich as well as French exploit vendor, VUPEN (who sold a one year subscription for its binary analysis and exploits service to the NSA in 2012).

The GCHQ document states that they “currently have a list of around 60 blog and Twitter sources” that were identified by analysts for collection. A prototype of the LOVELY HORSE program ensured that “Twitter smart messenger and (and subject to legal/security approval) blog content [was] manually scraped and uploaded to GCDesk.” A later version would upload content in real time.

Several of the accounts to be mined for expertise are associated with the hactivist collective Anonymous. Documents previously published by The Intercept reveal extensive, and sometimes extreme, tactics employed by GCHQ to infiltrate, discredit and disrupt that group. The agency employed some of the same hacker methods against Anonymous (e.g., mass denial of service) as governments have prosecuted Anonymous for using.

A separate GCHQ document details the open-source sites monitored and collected by the agency, including blogs, websites, chat venues and Twitter. It describes Twitter messenger monitoring undertaken for “real-time alerting to new security issues reported by known security professionals, or planned activity by hacking groups, e.g. Anonymous.” The agency planned to expand its monitoring and aggregation program to a wide range of web locations, including IRC chat rooms and Pastebin, where “an increasing number of tip-offs are coming from . . . as this is where many hackers anonymously advertise and promote their exploits, by publishing stolen information.”

One classified document casts serious doubt on warnings about the threat posed by Anonymous (in early 2012 then-NSA chief Keith Alexander reportedly warned that Anonymous could shut down parts of the power grid).

That document, containing “talking points” prepared by Jessica Vielhuber of the National Intelligence Council in September 2011 for a NATO meeting on cyber-threats, describes the threat from Anonymous as relatively small. “Although ‘hacktivist’ groups such as Anonymous have made headlines recently with their theft of NATO information, the threat posed by such activity is minimal relative to that of nation-states,” she wrote.

In response to The Intercept‘s questions, an agency spokesperson said that “NSA will not comment on the Intercept’s speculation,” and noted that NSA “defends the nation and our allies from foreign threats while going to great lengths to safeguard privacy and civil liberties.” The spokesperson added that “over the last year, at the president’s direction, the U.S. intelligence community engaged in an unprecedented effort to examine and strengthen the privacy and civil liberty protections afforded to all people, regardless of nationality.”

GCHQ declined to answer questions for this article, or to comment on the programs involved, but instead provided a boiler plate statement, which says the agency’s work is legal and subject to government oversight. “It is longstanding policy that we do not comment on intelligence matters,” the agency notes.